The federal privacy commissioner says three years of misdirected faxes by Canadian Imperial Bank of Commerce represents a serious breakdown of privacy practices that may reflect a widespread problem in Canadian business.

"We're concerned that other businesses look to this experience as a model of what to do and what not to do," commissioner Jennifer Stoddart said yesterday, as she released her report into CIBC's errant faxing of customer information in Canada and the United States.

Ms. Stoddart said the CIBC case is a wakeup call to companies that have developed privacy policies, but failed to set up processes and training to alert the entire organization to systemic failures.

"This is a pitfall that could be more widespread in Canadian business," she said in an interview. "We adopt a policy, we think we've done it and then we realize we haven't done the fire drills."

The commissioner was responding to complaints arising from news reports last November that West Virginia scrap yard operator Wade Peer had received CIBC faxes containing personal customer information for three years. A Dorval, Que., firm also reported it had received CIBC faxes containing personal customer information.

Mr. Peer is suing CIBC for allegedly clogging his fax lines, affecting his business. The case is scheduled to be heard in district court in Baltimore, starting May 9.

Ms. Stoddart said she met with CIBC chief executive officer John Hunkin 11 days ago, and was told the bank has made "a major investment" in privacy practices. CIBC must submit a written report within six weeks, followed by a verification audit by Ms. Stoddart's staff.

A staff memo released yesterday from chief privacy officer Ron Lalonde said the bank accepted the commissioner's findings, and has begun to implement all recommended changes.

Mr. Lalonde said the bank was focusing on three elements: to create a national database and reporting mechanism to capture privacy matters; to develop a process to identify and deal with potential issues; and to put resources into solutions rather than one-off fixes.

For example, the bank has designated individuals as contacts in each business, and has set up a privacy intranet for employees.

The privacy commissioner said the CIBC affair showed that simply publishing a policy does not mean a company is complying with privacy legislation. Ms. Stoddart said she is also concerned that the misdirected faxing continued to occur over three years, that attempts to stop the problem were ineffective and that the bank did not appropriately recover personal information, or notify customers until the breach had become public.

"The chief privacy officer didn't hear of those problems and they weren't recognized as systemic privacy problems," Ms. Stoddart said.

She said the banking sector is a major source of complaints to her office, reflecting the banks' collection of customer data and the fact that banking privacy law has a track record of more than four years.

Her office said it is dealing with two other complaints regarding misdirection of faxes within the banking sector.

Regarding Mr. Peer's case, earlier this month U.S. district judge Andre Davis declined judgment on a CIBC request for mitigated damages, deciding to leave the matter initially to a jury.

However, in a memo to counsel, the judge said he believed that "six to eight adults armed with common sense and mature judgment will readily agree with [the] defendant that this entire exercise has been some kind of 'stick-up job,' aimed at a large foreign bank by a struggling startup company that has tried to leverage a minor inconvenience into a lottery jackpot."